
Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

Open Kliton opened this issue 8 years ago • 17 comments

Kliton avatar Sep 01 '17 15:09 Kliton

Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

Kliton avatar Sep 01 '17 15:09 Kliton

+1 same error here.

danbopes avatar Sep 05 '17 13:09 danbopes

+1 same error here

vindu939 avatar Sep 12 '17 13:09 vindu939

+1

srz09 avatar Oct 10 '17 11:10 srz09

Same error. Anybody figured it out yet?

rochdev avatar Oct 12 '17 12:10 rochdev

Hi, I've been busy recently but I'll take a look at this tomorrow evening. Does anyone have a test case or a way to reproduce the error?

njpatel avatar Oct 12 '17 12:10 njpatel

I'm pretty sure it's just a newer version of grpc. Fire up the latest version, and you should get the error.

danbopes avatar Oct 12 '17 13:10 danbopes

I have faced that I was missing the -i flag. C

Kliton avatar Oct 18 '17 10:10 Kliton

@Kliton Please reopen as this is still an issue when actually using SSL and thus not using the -i flag on purpose

rochdev avatar Oct 18 '17 21:10 rochdev

I've been doing some digging and I found the following links, maybe that'll help debug the issue:

https://github.com/grpc/grpc/issues/9761
https://github.com/grpc/grpc/issues/6757

Can I confirm that your servers & client machines have the root ca-certificates installed and you're not passing in specific certificates? (And, if not, please describe the SSL setup you're using).

njpatel avatar Oct 20 '17 10:10 njpatel

It might also be worth upgrading your grpcc and testing with latest (v1.0.0). If you continue to have the issue, I'd appreciate it if you provide some details (see my comment above). Cheers.

njpatel avatar Oct 20 '17 18:10 njpatel

Hello, is the problem an old version of OpenSSL? I have the same issue and I am trying to update OpenSSL at the moment...

mistersms avatar Jun 06 '18 10:06 mistersms

Hello, I am also facing this issue

E0622 13:02:23.663000000  4784 src/core/tsi/ssl_transport_security.cc:1063] Handshake failed with fatal error SSL_ERROR_SSL: error:10000095:SSL routines:OPENSSL_internal:ERROR_PARSING_EXTENSION.
Traceback (most recent call last):
  File "ttn_demo.py", line 11, in <module>
    handler = ttn.HandlerClient(app_id, access_key)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\handler.py", line 30, in __init__
    self.__open(discovery_address)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\handler.py", line 39, in __open
    self.announcement = discovery.get_by_app_id(self.app_id)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\discovery.py", line 48, in get_by_app_id
    return self.client.GetByAppID(req)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\grpc\_channel.py", line 500, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\grpc\_channel.py", line 434, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.NOT_FOUND, discovery:app_id:0x70B3D57ED000F8FF not found)>

rejeeshchandran avatar Jun 22 '18 07:06 rejeeshchandran

I know this error from when I was working with Tomcat. The problem was that I was trying to connect with TLSv1, while it only allowed TLSv1.1.

ErikNeudert avatar Aug 02 '18 09:08 ErikNeudert

Take a look at https://github.com/areliszxz/nginx-grpc-grpcs. All I'll say is: use NGINX to debug, and make sure your certificates are set up correctly. Most of these problems come from the client-server communication [web server: Apache, nginx or another] server-client. I recommend nginx-debug to see how the request is coming in; it is a bit clearer in that respect.

areliszxz avatar Mar 19 '19 22:03 areliszxz

The same problem with grpc 1.18.0. The C++ server and the C++ client are run on the same host. OS: CentOS 7 with the latest updates at the moment.

Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

TLS connection with a check of the user cert.

Client side

		grpc::SslCredentialsOptions ssl_opts = {
				file::getBinaryContent<grpc::string>(cacert),
				file::getBinaryContent<grpc::string>(key),
				file::getBinaryContent<grpc::string>(cert)
			};
		auto channel_creds = grpc::SslCredentials(ssl_opts);
		auto channel = grpc::CreateChannel(server, channel_creds);
		client.reset(new Client(channel));

Server side

		grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {
			file::getBinaryContent<grpc::string>(GetConfig().serverSettings().key),
			file::getBinaryContent<grpc::string>(GetConfig().serverSettings().cert)
		};
		grpc::SslServerCredentialsOptions
		ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);

		//ssl_opts.force_client_auth = true;
		ssl_opts.pem_root_certs = file::getBinaryContent<grpc::string>(
			GetConfig().serverSettings().cacert);

		ssl_opts.pem_key_cert_pairs.push_back(pkcp);

		builder.AddListeningPort(GetConfig().serverSettings().address,
			grpc::SslServerCredentials(ssl_opts));

The same situation if I remove the client certificate authentication check. Note, the server is accessible by a Windows C# client.

ldd server

		linux-vdso.so.1 => (0x00007ffea3161000)
		libz.so.1 => /lib64/libz.so.1 (0x00007f0b7a7e0000)
		libgrpc++.so.1 => /usr/local/lib/libgrpc++.so.1 (0x00007f0b7a54f000)
		libgrpc.so.7 => /usr/local/lib/libgrpc.so.7 (0x00007f0b7a1c2000)
		libcassandra.so.2 => /lib64/libcassandra.so.2 (0x00007f0b79db9000)
		libgrpc++_reflection.so.1 => /usr/local/lib/libgrpc++_reflection.so.1 (0x00007f0b799df000)
		libdl.so.2 => /lib64/libdl.so.2 (0x00007f0b797db000)
		libboost_program_options.so.1.53.0 => /lib64/libboost_program_options.so.1.53.0 (0x00007f0b79569000)
		libboost_system.so.1.53.0 => /lib64/libboost_system.so.1.53.0 (0x00007f0b79365000)
		libboost_thread-mt.so.1.53.0 => /lib64/libboost_thread-mt.so.1.53.0 (0x00007f0b7914e000)
		libboost_system-mt.so.1.53.0 => /lib64/libboost_system-mt.so.1.53.0 (0x00007f0b78f4a000)
		librt.so.1 => /lib64/librt.so.1 (0x00007f0b785fb000)
		libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f0b782f4000)
		libm.so.6 => /lib64/libm.so.6 (0x00007f0b77ff2000)
		libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f0b77ddc000)
		libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0b77bc0000)
		libc.so.6 => /lib64/libc.so.6 (0x00007f0b777f3000)
		/lib64/ld-linux-x86-64.so.2 (0x00007f0b7a9f6000)
		libprofiler.so.0 => /lib64/libprofiler.so.0 (0x00007f0b775df000)
		libgpr.so.7 => /usr/local/lib/libgpr.so.7 (0x00007f0b773d3000)
		libssl.so.10 => /lib64/libssl.so.10 (0x00007f0b77161000)
		libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0b76d00000)
		libuv.so.1 => /lib64/libuv.so.1 (0x00007f0b76ad4000)
		libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f0b768ba000)
		libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0b766a1000)
		libtinyxml2.so.2 => /lib64/libtinyxml2.so.2 (0x00007f0b7648c000)
		libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0b7623f000)
		libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0b75f56000)
		libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f0b75d52000)
		libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0b75b1f000)
		libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f0b7590f000)
		libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f0b7570b000)
		libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f0b754e4000)
		libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f0b75282000)

If it helps

		$ yum info openssl
		Name : openssl
		Version : 1.0.2k
		Release : 16.el7
		Size : 814 k

Grpc libs were built by the standard procedure from git sources v1.18.0

Server side logs

		I0328 14:44:39.401028274 51500 tcp_posix.cc:419] READ 0x7f2d100033b0 (peer=ipv4:127.0.0.1:60320): 50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04 00 00 00 00 00 00 02 00 00 00 00 00 03 00 00 00 00 00 04 00 40 00 00 00 05 00 40 00 00 00 06 00 00 20 00 fe 03 00 00 00 01 00 00 04 08 00 00 00 00 00 00 3f 00 01 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 'PRI * HTTP/2.0....SM......$.....................@.....@...... .................?...................'
		I0328 14:44:39.401083475 51500 ssl_transport_security.cc:217] HANDSHAKE START - before/accept initialization - UNKWN
		I0328 14:44:39.401145076 51500 ssl_transport_security.cc:217] LOOP - before/accept initialization - UNKWN
		E0328 14:44:39.401183077 51500 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
		D0328 14:44:39.401207777 51500 security_handshaker.cc:138] Security handshake failed: {"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
		I0328 14:44:39.401217478 51500 ev_posix.cc:273] (fd-trace) fd_shutdown(17)
		I0328 14:44:39.401246278 51500 handshaker.cc:212] handshake_manager 0x7f2d10003850: error={"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"} shutdown=0 index=1, args={endpoint=(nil), args=(nil) {size=0: (null)}, read_buffer=(nil) (length=0), exit_early=0}
		I0328 14:44:39.401255578 51500 handshaker.cc:245] handshake_manager 0x7f2d10003850: handshaking complete -- scheduling on_handshake_done with error={"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
		D0328 14:44:39.401264079 51500 chttp2_server.cc:123] Handshaking failed: {"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
		I0328 14:44:39.401314680 51500 ev_posix.cc:266] (fd-trace) grpc_fd_orphan, fd:17 closed

Client side logs:

		D0328 14:52:22.295158717 51791 call.cc:720] {"created":"@1553773942.295146117","description":"Error received from peer","file":"src/core/lib/surface/call.cc","file_line":1036,"grpc_message":"Socket closed","grpc_status":14}
		I0328 14:52:22.295167218 51791 completion_queue.cc:699] cq_end_op_for_next(cq=0x7fa9d400f1f0, tag=0x7fa9d40108a8, error="No Error", done=0x7fa9dea0b7e0, done_arg=0x7fa9d4010c10, storage=0x7fa9d4010c60)
		I0328 14:52:22.295180218 51791 chttp2_transport.cc:2590] ipv4:127.0.0.1:50051: Complete BDP ping err={"created":"@1553773942.294964413","description":"Endpoint read failed","file":"src/core/ext/transport/chttp2/transport/chttp2_transport.cc","file_line":2491,"occurred_during_write":0,"referenced_errors":[{"created":"@1553773942.294925313","description":"Socket closed","fd":10,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":479,"grpc_status":14,"target_address":"ipv4:127.0.0.1:50051"}]}

Reproduced on certificates

		openssl genrsa -out rootCA.key 4096
		openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -subj "/C=RU/ST=RU/O=RU/CN=host" -out rootCA.crt
		openssl req -new -sha256 -key server.key -subj "/C=RU/ST=CA/O=MyOrg, Inc./CN=host" -out server.csr
		openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256
		cp -f server.key client.key
		cp -f server.crt client.crt

The same certificates work with a C# gRPC client from a Windows host.

zlygostev avatar Mar 20 '19 11:03 zlygostev
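
Added example, not part of the thread or of gRPC: the server-side READ trace in the post above begins with bytes 50 52 49 20, which the log itself decodes as the cleartext HTTP/2 preface 'PRI * HTTP/2.0', arriving where a TLS record was expected. The Python below classifies a peer's first bytes from such a trace line so a plaintext/TLS mismatch can be told apart from a TLS version problem; the names `classify_first_bytes` and `diagnose` and the second sample line are constructed for illustration.

```python
import re

# HTTP/2 client connection preface; a cleartext gRPC client sends it first.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}
# gRPC tcp trace layout as it appears in the post: "READ <ptr> (peer=...): <hex>"
READ_RE = re.compile(r"READ 0x[0-9a-f]+ \(peer=([^)]+)\): ((?:[0-9a-f]{2} ?)+)")

# Trace line from the post above, hex dump shortened to its first 28 bytes.
SERVER_TRACE = ("I0328 14:44:39.401028274 51500 tcp_posix.cc:419] READ 0x7f2d100033b0 "
                "(peer=ipv4:127.0.0.1:60320): 50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 "
                "0d 0a 0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04")
# Constructed sample: first bytes of a TLS ClientHello record, for contrast.
TLS_TRACE = "READ 0x1 (peer=ipv4:127.0.0.1:1): 16 03 01 02 00 01 00 01 fc 03 03"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a peer sent on a new connection."""
    if data.startswith(H2_PREFACE) or (data and H2_PREFACE.startswith(data)):
        return "plaintext-http2"
    if data[:5] == b"HTTP/" or data.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "plaintext-http1"
    if len(data) >= 5:
        # TLS record header: type(1) | version(2) | length(2); version is 3.x.
        rtype, major, minor = data[0], data[1], data[2]
        length = int.from_bytes(data[3:5], "big")
        if rtype in TLS_RECORD_TYPES and major == 3 and minor <= 4 and length <= 16384 + 2048:
            return "tls-" + TLS_RECORD_TYPES[rtype]
    return "unknown"


def diagnose(trace_line: str, listener_expects_tls: bool) -> str:
    """Explain a handshake failure from one READ trace line."""
    m = READ_RE.search(trace_line)
    if not m:
        return "no READ trace in line"
    peer, data = m.group(1), bytes.fromhex(m.group(2))
    kind = classify_first_bytes(data)
    if listener_expects_tls and kind.startswith("plaintext"):
        # A TLS stack reads bytes 1-2 as the record version; here they are ASCII.
        return (f"{peer} sent {kind} to a TLS listener; bytes 1-2 are "
                f"0x{data[1:3].hex()}, not a 0x03xx TLS version")
    if not listener_expects_tls and kind.startswith("tls-"):
        return f"{peer} sent a TLS {kind[4:]} record to a plaintext listener"
    if kind == "unknown":
        return f"{peer} sent unrecognised bytes"
    return f"{peer} sent {kind}, which matches the listener"
```

Calling `diagnose(SERVER_TRACE, listener_expects_tls=True)` reports the mismatch for the trace quoted in the post; the same check with `listener_expects_tls=False` covers the opposite case of a TLS client reaching a plaintext port.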

Any updates on this issue? I am also getting the same error.

bagulm123 avatar Jun 16 '20 17:06 bagulm123